Back to Home

Search for errors using Google or “hacking” accounts on badoo.com

security · security · badoo

Search for errors using Google or “hacking” accounts on badoo.com

    I want to tell you how Badoo company protects the accounts of its customers. This article is written for educational purposes only. I do not push anyone to commit unlawful acts and do not pursue any malicious intent.

    image

    Not all Bug Bounty programs are equally useful.


    In March 2013, Badoo announced the “Test Badoo for Strength!” Contest.
    The competition attracted prizes and I, pleased with the success in finding vulnerabilities for Yandex, registered on the site, looked at what links came in the letters, and simply drove them into the Google search bar.

    Initially, I discovered links that could be used to register under someone else’s email address without confirmation, and received a letter in response
    “Thank you, but this is not a vulnerability. Please continue to test us for strength. ”

    Google Dorks Queries, Bug Finder


    You can use Google Dorks to search for links ; all possible query options are collected and sorted on the site.
    Then I found a few more "little things", the answer was the same.
    My last find was a lot of links that you can use to log in to badoo.com, get full access to your user account, while not having any hacking skills. There are user accounts from different countries to choose from, just follow the link and you are authorized. In addition, links can be followed more than once.

    We drive into Google, for example, site: https: //eu1.badoo.com/access.phtml Follow the
    image

    links and get into user profiles:
    image

    Correspondence with Badoo


    In this case, I received an answer only to the third letter:
    “This is not a vulnerability, this is a mistake and we will definitely fix it.
    You sent us several applications regarding Google indexed pages, all of these applications have been told you that this is not a vulnerability.
    The fact is that for legal users such links do not harm - if the email is already in the system, then the new user will not be able to register with the same email.
    As for the links to change the password, they are all invalid - when we go to them, we say that "the link has expired."
    So we will remove excess from the issuance of Google, but not immediately - indexing is not done at the moment.
    If you still find links that work and allow you to harm users - please send detailed instructions on how you can harm other users, then we will consider this a vulnerability. ”

    I tried to explain the danger of logging in to someone else’s account, and asked if I could write an article on Habrahabr, here’s what I got in response:
    “Once again, we looked very carefully at your application and decided that this problem is not a Badoo vulnerability.

    When a user registers on our site, he himself indicates his email. In some cases, users specify an email that, for example, automatically publishes all received messages openly. Or users themselves in some other way openly publish the letters received from Badoo including authorization links. Then, Google finds the published links and includes them in its search results. If you go to sites like birgo.mynet.com or twitmail.com , you will find a large number of messages from us that users themselves made publicly available, knowingly or by mistake:
    birgo.mynet.com/badoo/archive/2011/2
    twitmail.com/email/146079226/29/3-people-on-Badoo-are-waiting-to-chat-with-you-

    We do not control such user actions and cannot stop them. However, a few weeks ago we took measures to automatically invalidate the authorization links found by popular search engines. That is why out of the sheer number of links in Google’s SERPs, only a very small number remain active. They were indexed by Google before we took action. As you reindex, all such links will be deactivated.
    This decision of the jury on your application is final. "

    Customer care


    More than four months have passed since my correspondence with Badoo, on Google you can still find authorization links that are not disposable.

    Another interesting query: inurl: register.phtml site: badoo.com
    This query finds the types of links:
    eu1.badoo.com/invite/register.phtml?u=243016784&i=72376&p=8&e=Anna%40yahoo.com&uin=ANY_EMAIL.COM&m = 21 & n = YWx1bW5pX2llZmV1aWlAeWFob29ncm91cHMuY29t & share_id = JiBZYnOGQk
    This is a user’s invitation to the site. In this link, you can pass any email that was not registered on the site as a UIN parameter, and you won’t need to confirm the registration. The only inconvenience is that after clicking on the link from Google and replacing email, you need to clear your browser cookie.

    uin = Any% 20email , no validation check:
    image

    I decided to write this article, because Badoo does not consider the possibility of authorization under someone else’s account a vulnerability.
    PS Look for bugs using the Google: inurl: phtml site: badoo.com

    PPS After Badoo answer in the comments, on request inurl: forgot_enter site: badoo.com managed to gain access to the activity of the account ( video evidence , the file can be opened in any browser )

    Read Next